Computer Security for NGOs

In an era when government spying, corporate hacking scandals, major security flaws, online stalking and social media shaming are rarely out of the headlines, it can seem like the internet has grown up into a deep dark forest, with wolves lurking behind every tree.

Luckily, there are easy steps to help keep you and your organisation safe and private online. This article helps you assess risks to your computer security and introduces some practical tools for addressing them. I’ll also touch briefly on the legal framework that applies within Germany.

Why is understanding computer security important for NGOs?

I believe all individuals and private organisations have a fundamental right to data privacy and security. There is a strong legal framework in the EU and in Germany to protect this right, and understanding and complying with it is important for all organisations. However, there are specific additional reasons why computer security is important to the non-profit sector.

Non-profit organisations often work with vulnerable or highly politicized people who may be of special interest to governments, corporations or criminals. This could include groups such as refugees, activists, or the homeless. Some organisations work with people who need to keep certain facts about their identity secret, such as their sexual orientation or medical history.

We’re living in the age of “big data”, and like everyone, non-profits collect more digital data than they did in the past. Data doesn’t just mean names and addresses, or information stored in a spreadsheet. It includes research, surveys, mailing lists, meeting records such as agendas, minutes and attendance lists, audio and video recordings, emails and social media conversations. The more data we collect the harder it becomes to safely manage it.

We have a responsibility to protect the privacy, safety and dignity of the groups we are seeking to serve, and we therefore have a responsibility to take every precaution with the data entrusted to us. We also have a responsibility to help those we work with to better protect themselves online and in using their mobile devices, especially when they may not be technologically literate, as with children, the elderly, or people with cognitive disabilities.

Diagnosing the problem: Threat Models

We want to keep our data private, secure, and protected. That is, only appropriate people can access it, it is very difficult to steal or corrupt, and if it is lost through hardware failure, we can replace it from a backup.

Depending on the work that your organisation does, there will be varying risks to this ideal scenario. Identifying the most significant threats that apply to your situation will help you develop a computer security strategy and determine where to allocate resources.

This section outlines four key threat models for you to consider.

Government spying

Government intelligence organisations all around the world collect data from the internet. They may deliberately attempt to gather data on known individuals, but many also collect mass data indiscriminately in the form of metadata. Government agencies also monitor social media, and regularly request and receive data about specific people from tech companies such as Google and Facebook.

Government spying might be your most significant threat model if you work with undocumented migrants or with activists from countries with poor human rights records. It’s also a concern if you plan direct action campaigns such as banner drops or protests. You do not have to be doing anything illegal to have your data intercepted and monitored by government agencies.

Corporate data collection

This primarily refers to the mass collection of data by services such as Facebook, Google and Amazon. These companies collect many pieces of data and metadata about you and generally use it to deliver more personalized advertising. They may also pass your data on to third parties. This form of data collection could be problematic for people who would like an aspect of their identity to remain secret, such as medical history or sexual orientation.

An additional and more serious form of surveillance is that which occurs by large corporations against activists that threaten their interests. We’ve personally worked with environmental activists who have been spied on by large oil and gas companies.

Malicious attacks

Malicious attacks refer to attempts to hack into your website, email or social media accounts. These may be simply random attacks by “script kiddies” trying to cause havoc, or they could be motivated by criminal intent, for example to steal credit cards. Malicious attacks are a particular risk on unsecured public networks, such as the WiFi connection at the airports or cafes.

These threats apply to everyone but might be of particular concern to you if you hold sensitive financial information or other data that could represent a financial reward to a would-be hacker.

Physical security risks

Physical security risks are an important and often overlooked threat model. A classic example is leaving complex passwords written on sticky notes next to your screen. Anyone who enters your office has instant access.

This might be of particular concern to you if you work in a shared office building or co-working space where it is hard to monitor people’s access rights. In other cases, you might work with individuals whose living situation means they have heightened physical security risks. Another organisation we have worked with, Papatya, works with girls and young women at risk of forced marriage. They teach girls to use the internet anonymously so that they can access help in secret on a shared computer.

Your rights and responsibilities: understanding the legal framework

Germany is a world leader in legislation to protect data privacy of individuals. This means that if you operate here you may have additional legal obligations over and above that required in the United States or the United Kingdom

Germany’s Federal Data Protection Act is known as the Bundesdatenschutzgesetz or BDSG. The law covers a range of data protection-related issues, including the following requirements:

Organisations cannot collect any personally identifiable information without express permission from an individual (this includes obvious things like name and date of birth, as well as less obvious things like phone number, address, and computer IP address).

The permission that an individual grants must specify how, where, how long, and for what purposes the data may be used.

The individual can revoke the permission at any time.

Organisations must have policies, procedures, and controls in place to protect all data types and categories that fall under the BDSG umbrella.

On request, individuals must be given information on:

recorded data relating to them, including information relating to the source of the data;

the recipients or categories of recipients to which the data is transferred; and

the purpose of recording the data.

It’s important to note that these requirements are fundamentally incompatible with some US legislation, such as the Patriot Act, which allows the US government to request a broad range of data from private companies. Using an American cloud provider to store sensitive data could mean that data ends up in the hands of the NSA or other US government agencies. This topic is covered in more detail below.

It’s a good idea to include a page on your website that outlines your organisation’s data privacy policy, and how and for what purposes you use data that you collect. Link to this page from any forms you use to gather data.

If you use website traffic analysis tools such as Google Analytics or Piwik, you should also have a page on your site that explains to your users how they can opt out of tracking. You can find information about this process for Analytics here and here, and for Piwik here.

Finally, if your website makes use of cookies, you have a legal obligation to inform your website visitors if your site is owned in the EU or primarily targeted at European citizens. The Cookie Collective has clearly explained resources on this topic and tools to help you achieve legal compliance.

The following links contain further information about German data protection laws (in English).

Safer practices: user and password management

Strong passwords are an absolute must. A strong password is at least 12 characters long, includes letters, numbers and special characters such as ! $ % ( ) and /. These are a nightmare to remember, so a widely used technique is to think of a sentence that you can remember:

“The first house I ever lived in was 613 Fake Street. The rent was $400 per month.”

Then use the first letters of each word to create your password, but include all special characters (except spaces) and all numbers:

TfhIeliw613FS.Trw$400pm.

Install a password manager such as LastPass, 1Password or KeePass that stores all of your passwords in an encrypted vault. You only need to remember a single password to gain access to them, and then when you visit a website the password manager will fill in your username and password for you.

If you do need to send a username and password combination via email, consider splitting the communication up over two methods, such as email and SMS.

User access management

Controlling user access to your data involves defining a set of user roles within your organisation. Different user roles will need access to different kinds of data. Examples of user roles in a homeless support network might include:

Case workers

Administrative staff

Senior administrative staff

Marketing and outreach

In this scenario, your case workers will need access to specific information on individuals in contact with the organisation. The marketing team definitely don’t, nor do administrative staff. Only senior administrators should have access to sensitive financial documents.

Think about the user roles that apply to your organisation. Document your decisions and review once or twice a year. Once you’ve decided on the user roles you will use, you can use these to determine who ought to have access to various documents and data sets you have.

If you use Google Apps for Work, or other intranet style software, you can set up these user roles and assign your staff to them. When you grant permissions to a document, you can then grant permissions to the user role, rather than to individual users. This means that if someone leaves or changes role, you can just remove their account from the user role, rather than removing their account from every single document they’ve had access too.

Practical tips: work smarter and safer with sommon tools

Computers

Personal computer security practices are key to developing good organisational security. Make sure you and your team do the following:

Keep the operating system and applications regularly updated.

Use antivirus and firewall software.

Password protect access to your computer – this is especially important if you work in a shared office or co-working space.

Check that your email provider uses SSL (that’s the little green lock icon you can see in the browser URL bar when you log in to your webmail).

Don’t put USB drives into your computer if you don’t know whose they are or where they came from.

Beware of phishing emails and avoid clicking links in emails and keep an eye on the URL.

Be careful about what software you install – a quick Google for “software name virus” could save you many tears later.

Avoid cracked or pirated software.

Use a password manager with different, strong passwords for all your accounts.

Be thoughtful about what information you share on social media sites.

Phones

Smartphones carry large amounts of data, but at the same time they are easy to steal and more likely to be used on unsecured public networks. Geraldine de Bastion and Sandra Mamitzsch from the Tactical Technology Collective have an excellent checklist for improving your phone’s security:

Keep the phone’s operating system updated.

Make regular encrypted backups.

Use strong passwords with a password manager. In iOS you can enable “complex” passwords which are better than the default 4 digits.

Review the access permissions you’ve given different apps – which have access to your calendar or location, for example?

Wordpress

If you use Wordpress (or any other content management system) to power your website, it’s vitally important that you keep the core software and all your plugins updated. You can also improve on the default protection offered by Wordpress with the use of additional plugins. I personally use and recommend UpdraftPlus for backups, Wordfence for antivirus and malware scanning, and iThemes Security to guard against hacking attempts on your login form and database.

Gmail, Google Docs, and Google Apps for Work

Google’s suite of productivity tools are a boon for many small organisations. However, the ease of use means that sometimes you dive right into to using Docs and Gmail before planning for who should have access to your sensitive documents. Here are some tips to help you stay in control:

Be aware who has access to your Google documents and spreadsheets, and especially who has the power to grant access.

Revoke access rights on old projects, for departing staff, and for external collaborators once their contribution is finished.

If you use Google Apps for Work, define and use user roles to set access permissions.

Cloud Storage

When it comes to cloud storage you need to read the fine print and make sure you’re happy with the terms and conditions being offered.

Consider using a European cloud storage provider that keeps your data within the EU rather than sending it to large data farms in North America. Sending data halfway around the world practically guarantees it will be scooped up by government spying agencies. Britain’s GCHQ taps directly into the massive transatlantic connection between the UK and the US. To get an understanding of how this affects you check out this excellent visualisation of who’s snooping on your internet traffic from Berlin-based OpenDataCity.

At the very least you should check that your cloud storage provider is acting in accordance with EU data privacy law by either processing your data within the EU or participating in the EU-US Safe Harbor Framework. Google, Apple and Dropbox have released statements on this issue. Note that Safe Harbor doesn’t necessarily protect your data from US government requests.

Backups

This is one of those annoying jobs that you know you have to do and never quite get around to. Make it more fun with a backup software installation party! Or make Friday backup day! Give out stickers! Do whatever you need to get your team into good backup habits.

For optimal security keep at least two password protected, encrypted hard drive copies of your backups. Remember hard drives don’t last forever – 20% of hard drives fail in the first four years, and keep another copy in the cloud.

A backup is also a massive security risk, so it is a good idea to encrypt backups. Check out the fabulous VeraCrypt tool from French cryptography experts IDRIX.

Taking it further: where to learn more

Germany has a thriving culture of people and organisations committed to protecting data privacy rights and people’s safety online, and there are many resources to help you learn more. Two organisations doing excellent work are the Electronic Frontier Foundation (EFF) and the Tactical Technology Collective, both of whom run regular training sessions. The EFF’s Surveillance Self-Defense and Tactical Tech’s Security in a Box are practical how-to guides for communicating safely online and improving your digital security.

For even more tips and in depth information, check out the full version of this article on Melanie's blog!

About the Author

Melanie Thewlis is a co-founder of Little Web Giants, an online marketing and web development consultancy based in Berlin and Melbourne. She has a diverse range of professional experience working with not for profit organisations, including Friends of the Earth, UK Tar Sands Network, Stiftung Bürgermut, Humboldt University, Stadtbienen e.V. and Melbourne Montessori School. Melanie provides regular free of charge consulting sessions to the non-profit sector at Betterplace Stammtisch and Social Media Sprechstunde events.